type: analysis
family: remcos
confidence: high
created: 2026-06-04
updated: 2026-06-04
tags: rat, malware-family, pe, c2, persistence, defense-evasion, discovery
SHA-256: 5a1e57f7b010c3b13054aad696fa7bb9a6e8122deb3b6a36689ec05dbee5072d

remcos: 5a1e57f7b0 — v1.7 Pro sibling, enlarged RCData config (531 bytes)

Executive Summary

Remcos RAT v1.7 Pro build, Jan 2017. Cluster sibling to 0f723826; identical string profile and build fingerprint, but the SETTINGS RCData blob is 531 bytes (2.2x larger than the sibling’s 245 bytes), indicating a different builder configuration. No packer, no obfuscation. Static-only — CAPE skipped (no Windows guest).

What It Is

PE32 GUI, 94 KB, compiled Thu Jan 5 2017 19:50:13 UTC. ^[file.txt] ^[exiftool.json:15] Linker 6.0, MSVC C++ with MSVCP60.dll STL runtime. ^[pefile.txt:32] ^[rabin2-info.txt:11] Unsigned. ^[rabin2-info.txt:27] Filename on disk: Backdoor.exe. ^[metadata.json:4]

How It Works

Cluster sibling to 0f723826 (see remcos entity page). Same builder emitted both: identical Breaking-Security.Net vendor string, ^[strings.txt:207] same 1.7 Pro version, ^[strings.txt:203] identical Remcos_Mutex_Inj singleton mutex, ^[strings.txt:168] same sandbox indicator strings (SbieDll.dll, HARDWARE\ACPI\DSDT\VBOX__, PROCMON_WINDOW_CLASS, PROCEXPL), ^[strings.txt:40-43] same command vocabulary (upload, download, scrcap, miccapture, proclist, keepaliveoff, etc.). ^[strings.txt:205-275]

Per-sample delta: the encrypted RCData SETTINGS blob is 0x213 (531 bytes) vs 0xF5 (245 bytes) in 0f723826. ^[pefile.txt:704] The blob is not decrypted in static; its enlarged size implies a different builder configuration — more C2 hosts, longer credentials, or additional feature flags. Same FindResourceA → LoadResource → LockResource → SizeofResource bootstrap in main to extract it. ^[pefile.txt:226-229]
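The two facts a triage analyst wants from this section are "is there an RT_RCDATA resource named SETTINGS" and "how big is it", since the blob size is the only static delta between the siblings. The following is an added example, not code from the analysis or from the sample: it walks a Win32 resource directory the same way the FindResourceA bootstrap does (type → name → language → data entry), pulls out the named RCData blob, and reports its size and Shannon entropy (an encrypted config should sit near 8 bits/byte). The .rsrc image, its section RVA (0x11000), the second resource (id 101) and the blob contents are all constructed for the example; the 245/531 size table is taken from this page.

```python
import math
import struct
from collections import Counter

RT_RCDATA = 10           # resource type id for RT_RCDATA
SECTION_RVA = 0x11000    # assumed RVA of the .rsrc section in the constructed sample below
SUBDIR = 0x80000000      # high bit of an entry field: offset points at a subdirectory / name string
MASK = 0x7FFFFFFF


def build_sample_rsrc() -> bytes:
    """Constructed .rsrc image (not the sample's): RT_RCDATA -> {"SETTINGS": 531 bytes, 101: 8 bytes}.
    Offsets (from section start): 0x00 root dir, 0x18 type-10 dir, 0x38/0x50 language dirs,
    0x68 UTF-16LE name "SETTINGS", 0x7C/0x8C data entries, 0xA0 SETTINGS blob, 0x2B4 id-101 blob."""
    out = bytearray(0x2BC)
    hdr = "<IIHHHH"   # characteristics, timestamp, major, minor, n_named, n_id
    struct.pack_into(hdr, out, 0x00, 0, 0, 0, 0, 0, 1)
    struct.pack_into("<II", out, 0x10, RT_RCDATA, SUBDIR | 0x18)
    struct.pack_into(hdr, out, 0x18, 0, 0, 0, 0, 1, 1)
    struct.pack_into("<II", out, 0x28, SUBDIR | 0x68, SUBDIR | 0x38)  # named entry -> "SETTINGS"
    struct.pack_into("<II", out, 0x30, 101, SUBDIR | 0x50)            # id entry 101
    struct.pack_into(hdr, out, 0x38, 0, 0, 0, 0, 0, 1)
    struct.pack_into("<II", out, 0x48, 0x409, 0x7C)                   # leaf: high bit clear
    struct.pack_into(hdr, out, 0x50, 0, 0, 0, 0, 0, 1)
    struct.pack_into("<II", out, 0x60, 0x409, 0x8C)
    name = "SETTINGS".encode("utf-16-le")
    struct.pack_into("<H", out, 0x68, len("SETTINGS"))
    out[0x6A:0x6A + len(name)] = name
    struct.pack_into("<IIII", out, 0x7C, SECTION_RVA + 0xA0, 531, 0, 0)   # rva, size, codepage, reserved
    struct.pack_into("<IIII", out, 0x8C, SECTION_RVA + 0x2B4, 8, 0, 0)
    out[0xA0:0xA0 + 531] = (bytes(range(256)) * 3)[:531]   # constructed stand-in for the encrypted config
    return bytes(out)


def walk_rsrc(rsrc: bytes, section_rva: int):
    """Walk the three-level resource tree; yield (type, name_or_id, lang, data_rva, size) per leaf."""
    def read_name(off):
        n = struct.unpack_from("<H", rsrc, off)[0]
        return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le")

    def entries(dir_off):
        n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
        for i in range(n_named + n_id):
            name, data = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
            yield (read_name(name & MASK) if name & SUBDIR else name), data

    for rtype, l1 in entries(0):
        if not l1 & SUBDIR:
            continue                      # malformed: type level must point at a subdirectory
        for name, l2 in entries(l1 & MASK):
            if not l2 & SUBDIR:
                continue
            for lang, leaf in entries(l2 & MASK):
                if leaf & SUBDIR:
                    continue              # deeper than three levels: not a Win32 resource tree
                rva, size, _codepage, _reserved = struct.unpack_from("<IIII", rsrc, leaf)
                yield rtype, name, lang, rva, size


def find_rcdata_blob(rsrc: bytes, section_rva: int, name: str = "SETTINGS"):
    """Return (size, bytes) of the RT_RCDATA resource with this name, or None if absent/out of bounds."""
    for rtype, rname, _lang, rva, size in walk_rsrc(rsrc, section_rva):
        if rtype == RT_RCDATA and rname == name:
            off = rva - section_rva
            if not 0 <= off <= len(rsrc) - size:
                return None               # data entry points outside the section image
            return size, rsrc[off:off + size]
    return None


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


# Blob sizes observed in this corpus (from the analysis text), keyed to the build they came from.
KNOWN_SETTINGS_SIZES = {245: "0f723826 (v1.7 Pro sibling)", 531: "5a1e57f7 (this sample)"}


def triage(rsrc: bytes, section_rva: int) -> dict:
    """Presence, size, entropy and known-build match for the SETTINGS RCData blob."""
    found = find_rcdata_blob(rsrc, section_rva)
    if found is None:
        return {"settings_present": False}
    size, blob = found
    return {"settings_present": True, "size": size,
            "known_build": KNOWN_SETTINGS_SIZES.get(size), "entropy": shannon_entropy(blob)}


if __name__ == "__main__":
    print(triage(build_sample_rsrc(), SECTION_RVA))
```

On a real file, feed it the raw bytes of the .rsrc section and that section's VirtualAddress from the section table; the walker deliberately stops at three levels and rejects out-of-section data entries rather than trusting the directory, which is the usual way a crafted resource tree breaks naive parsers.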

Decompiled Behavior

main (0x00407452): ^[r2:main]

  • Constructs std::basic_string objects via MSVCP60.dll for all path and registry operations.
  • Opens Remcos_Mutex_Inj mutex; if already present, exits silently.
  • Reads ProductName from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion to fingerprint the OS.
  • Checks Software\Software\ reg key for injection marker (Inj subkey), then creates Remcos_Mutex_Inj.
  • Reads builder-config feature flags from the decrypted SETTINGS blob (offsets 0–20 in the blob map to boolean switches for keylogger, screenshot, mic, webcam, etc.).
  • Spawns worker threads via CreateThread for C2 socket loop, keylogger, and periodic keep-alive.

fcn.00402b5b: registry helper manipulating HKCU\Software\Classes\mscfile\shell\open\command for the eventvwr UAC bypass, with origmsc backup/restoration tag. ^[strings.txt:68-69]

fcn.0040f8bf: appears to be the thread entry point for C2 communication — calls WS2_32 socket/connect, sends [DataStart] delimited frames, and loops on recv. ^[r2:fcn.0040f8bf]

C2 Infrastructure

No plaintext C2 in strings — runtime-decrypted from SETTINGS RCData blob. Protocol inferred:

  • Raw TCP over WS2_32 (ordinal imports: socket, connect, send, recv, WSAStartup). ^[pefile.txt:582-590]
  • Frame delimiter: [DataStart] / [DataStart]0000. ^[strings.txt:59-60]
  • Keep-alive heartbeat with configurable timeout. ^[strings.txt:61-65]
  • Fallback HTTP download: URLDownloadToFileA and InternetOpenUrlA for payload updates. ^[pefile.txt:599-633]

Interesting Tidbits

  • SETTINGS blob 531 bytes is the largest Remcos RCData observed in this corpus. Prior sibling 0f723826 had 245 bytes; the doubling suggests either multi-host C2 fallback or a richer feature set enabled in this builder run.
  • The Backdoor.exe filename (from metadata) and the absence of any masquerading version-info strings suggest this was a direct builder output, not a repacked dropper.
  • No process-hollowing payload stage observed in decompile — the VirtualAllocEx / WriteProcessMemory / NtUnmapViewOfSection imports may be used for self-relocation or child-process injection rather than a separate payload.
  • C++ code uses std::basic_string for every operation, including simple numeric comparisons; the builder emits heavy STL boilerplate. ^[strings.txt:444-500]

How To Mess With It (Homelab Replication)

  1. Build a comparable stub in MSVC 2013+ (or use the MSVCP60 redist for authenticity):
    • Static-link MSVCP60 or use /MT with VC6 toolchain.
    • Embed a SETTINGS RCData resource with a simple XOR-encrypted blob.
    • Import FindResourceA, LoadResource, LockResource, SizeofResource.
  2. Add WS2_32 socket/connect, send/recv, and a [DataStart] delimiter string.
  3. Add Win32 SetWindowsHookExA for keylogger simulation.
  4. Add RegSetValueExA writes to Software\Microsoft\Windows\CurrentVersion\Run.
  5. Run capa — should hit: "interact with network", "capture webcam", "capture microphone", "log keystrokes", "modify registry", "create mutex".
  6. What you’ll learn: how a small C++ stub with STL strings and raw sockets maps to a commodity RAT capa fingerprint.

Deployable Signatures

YARA

import "pe"

rule remcos_v17_pro_settings_rcdata {
    meta:
        author      = "packetpursuit"
        description = "Remcos RAT v1.7 Pro — SETTINGS RCData + string constellation"
        family      = "remcos"
        date        = "2026-06-04"
    strings:
        $a = "Remcos_Mutex_Inj" ascii wide
        $b = "Breaking-Security.Net" ascii wide
        $c = "1.7 Pro" ascii wide
        $d = "[DataStart]" ascii wide
        $e = "eventvwr.exe" ascii wide
        $f = "origmsc" ascii wide
        $g = "SETTINGS" wide
        $h = { 6D 73 63 66 69 6C 65 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 } // mscfile\shell\open\command
    condition:
        uint16(0) == 0x5A4D and
        // pe.resources[i].name_string is the raw UTF-16LE name, so compare the wide-encoded form
        for any i in (0..pe.number_of_resources-1) : (
            pe.resources[i].type == pe.RESOURCE_TYPE_RCDATA and
            pe.resources[i].name_string == "S\x00E\x00T\x00T\x00I\x00N\x00G\x00S\x00"
        ) and
        4 of ($a, $b, $c, $d, $e, $f) and
        pe.imports(/MSVCP60/i) and
        pe.imports(/WS2_32/i)
}

Note: the pe module exposes resource names as raw UTF-16LE through pe.resources[i].name_string, so the name comparison must be written in the wide form above (a plain "SETTINGS" never matches). On a YARA build without the pe module, drop the import and the pe.* terms and rely on $g (the UTF-16 "SETTINGS" directory string) together with the hex signature $h and the ascii/wide string constellation.

Sigma Rule

title: Remcos eventvwr UAC bypass registry hijack
status: experimental
description: Detects a value being set under the mscfile shell-open handler, the key Remcos hijacks to launch eventvwr.exe and escalate (T1548.002)
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject|contains: '\Software\Classes\mscfile\shell\open\command'
    condition: selection
falsepositives:
    - Legitimate admin tools temporarily modifying handler (rare)
level: high
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1548.002
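The Sigma rule above is a case-insensitive substring match on TargetObject, and the same logic is easy to host-test before deploying. The following is an added example (not part of the original analysis, and not the sample's code) that runs that match over constructed Sysmon-style Event ID 13 records, extended to the Run and Winlogon persistence keys from the IOC list and to the origmsc backup tag. It also applies the normalization a real Sysmon feed needs: per-user keys are logged as HKU\<SID>\... (or HKU\<SID>_Classes\...), never as HKCU, so a rule written against HKCU paths must fold the SID form first. All event values, SIDs and image paths below are constructed.

```python
import re

# Constructed Sysmon-style registry_set (Event ID 13) records; not real telemetry from the sample.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Users\lab\AppData\Roaming\Backdoor.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)"},
    {"EventType": "SetValue", "Image": r"C:\Users\lab\AppData\Roaming\Backdoor.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\origmsc"},
    {"EventType": "SetValue", "Image": r"C:\Users\lab\AppData\Roaming\Backdoor.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\remcos"},
    {"EventType": "SetValue", "Image": r"C:\Users\lab\AppData\Roaming\Backdoor.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"EventType": "DeleteValue", "Image": r"C:\Windows\regedit.exe",       # cleanup, not a SetValue
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)"},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Vendor\tool.exe",  # benign installer noise
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tool\DisplayName"},
]

# (rule name, ATT&CK technique from the analysis, lower-cased substring of the normalized target)
RULES = [
    ("remcos_eventvwr_uac_bypass", "T1548.002", "\\software\\classes\\mscfile\\shell\\open\\command"),
    ("run_key_persistence", "T1547.001", "\\software\\microsoft\\windows\\currentversion\\run\\"),
    ("winlogon_userinit", "T1547.004", "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit"),
]

_HKU_USER = re.compile(r"^HKU\\S-1-5-21-[\d-]+(_Classes)?\\(.*)$", re.IGNORECASE)


def normalize_target(target: str) -> str:
    """Fold Sysmon's HKU\\<SID>\\... (and HKU\\<SID>_Classes\\...) to HKCU form, then lower-case
    so the match is case-insensitive like Sigma's |contains modifier."""
    m = _HKU_USER.match(target)
    if m:
        prefix = "HKCU\\Software\\Classes\\" if m.group(1) else "HKCU\\"
        target = prefix + m.group(2)
    return target.lower()


def classify(event: dict) -> list:
    """Return [(rule_name, technique)] for a single registry event; empty if nothing matches."""
    if event.get("EventType") != "SetValue":
        return []
    target = normalize_target(event["TargetObject"])
    hits = [(name, ttp) for name, ttp, needle in RULES if needle in target]
    if target.endswith("\\origmsc"):          # backup tag the sample writes before hijacking the handler
        hits.append(("remcos_origmsc_backup_tag", "T1548.002"))
    return hits


def scan(events: list) -> list:
    """Return (index, Image, hits) for every event at least one rule matches."""
    out = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out.append((i, ev.get("Image", "?"), hits))
    return out


if __name__ == "__main__":
    for idx, image, hits in scan(SAMPLE_EVENTS):
        print(idx, image, hits)
```

The DeleteValue record is deliberately included: the Sigma rule keys on SetValue only, so the restore of the original handler (the origmsc value being written back, then the hijack value removed) is not itself an alert, and an analyst should pull the surrounding events by process rather than expecting the cleanup to fire the rule.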

IOC List

| Indicator | Value | Type |
|---|---|---|
| SHA-256 | 5a1e57f7b010c3b13054aad696fa7bb9a6e8122deb3b6a36689ec05dbee5072d | Hash |
| Mutex | Remcos_Mutex_Inj | Mutex |
| Registry (UAC bypass) | HKCU\Software\Classes\mscfile\shell\open\command | Registry |
| Registry (Run persistence) | Software\Microsoft\Windows\CurrentVersion\Run\ | Registry |
| Registry (Winlogon) | Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ | Registry |
| File paths | install.bat, uninstall.bat, update.bat | File |
| Network | Raw TCP + fallback HTTP (URLDownloadToFileA, InternetOpenUrlA) | Network |
| Resource | RT_RCDATA named SETTINGS (~245–530 bytes) | Artifact |

Behavioral Fingerprint

A 94 KB PE32 GUI with MSVCP60 STL imports, no packer, containing an RT_RCDATA resource named SETTINGS of 245–530 bytes. On launch it creates the mutex Remcos_Mutex_Inj, reads ProductName from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, then spawns one or more threads. Within 5 seconds it opens a raw TCP socket (WS2_32 ordinal imports), sends frames prefixed with [DataStart], and simultaneously installs registry persistence under Run and Winlogon keys. If executing with medium integrity, it hijacks HKCU\Software\Classes\mscfile\shell\open\command to launch eventvwr.exe and escalate. Browser credential files (Login Data, logins.json, cookies.sqlite) are accessed for theft or clearing.

Detection Signatures

capa signatures failed on this sample (signature path missing at analysis time). ^[capa.txt] Behavioral capability equivalents inferred from imports + strings + decompile mapping to ATT&CK:

  • T1547.001 — Registry Run/Explorer Run keys
  • T1547.004 — Winlogon Userinit
  • T1548.002 — eventvwr UAC bypass
  • T1056.001 / T1056.002 — Keylogger + clipboard capture
  • T1113 — Screenshot (GDI/GDI+ APIs)
  • T1123 — Microphone (WINMM waveIn)
  • T1125 — Webcam capture
  • T1057 — Process enumeration (Toolhelp32)
  • T1217 — Browser credential theft (Chrome/Firefox/IE)
  • T1071.001 — Raw TCP C2 with [DataStart] framing
  • T1105 — Payload update via URLDownloadToFileA / InternetOpenUrlA
  • T1497.001 — VM/sandbox string checks (VBOX__, Sandboxie)
  • T1574.002 — Process hollowing indicators (NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory)

References

Provenance

Static artifacts: file.txt, exiftool.json, pefile.txt, strings.txt, rabin2-info.txt, binwalk.txt, metadata.json. Dynamic: dynamic-analysis.md (CAPE skipped — no Windows guest). Decompilation: radare2 (mcp_radare2 v5.x, aa level 3), entrypoint at 0x0040fd88, main at 0x00407452. Ghidra import queued (mcp_pyghidra) but code indexing not complete during session; radare2 pseudo-C used for all decompiled claims.